FluentSecurity
FluentSecurity copied to clipboard
kristofferahl
Inherit AuthorizeAttribute so 3rd parties can identify FluentSecurity as an authorization component
As mentioned in #72, MvcSiteMapProvider can automatically pick up the authorization settings from FluentSecurity if it inherits AuthorizeAttribute.
Per this post, there are many built-in types in the MVC framework (and potentially by 3rd parties) that implement IAuthorizationFilter (including Controller), and most of these types do not provide any authorization capability. The only positive way to identify that a component is for MVC authorization is if it inherits AuthorizeAttribute. Since that is exactly what FluentSecurity does, it should inherit AuthorizeAttribute.
Although, admittedly on your side of the fence this looks a little like a hack because of the hidden properties, this fix creates the ideal scenario.
- If you install FluentSecurity, it will work.
- If you install MvcSiteMapProvider, it will work.
- If you install FluentSecurity and MvcSiteMapProvider, they will automatically interact.
- There are no dependencies required between the two libraries.
- There are no special cases in either library.
- There is no special configuration required for either library to make them interact.
- Other 3rd party components can potentially pick up FluentSecurity automatically, as well.
Do note that I put the property hiding in a separate commit in case you want to do it another way. Also note that the Order, Roles, and Users properties are only hidden if you access the library from another solution, but they are visible within the FluentSecuirty solution. If desired, you could also hide the protected members of AuthorizeAttribute so they aren't visible to inheritors of HandleSecurityAttribute.
This change is completely backward compatible with the current implementation.
I tested it with MvcSiteMapProvider and it is working. I also verified the build script is working.
Thanks for the pull-request. I've added some comment about this to the original issue (#72: Why doesn't HandleSecurityAttribute inherit AuthorizeAttribute?)
